Description:

If only certain network participants are to be granted network access, RADIUS authentication has to be used on the switch. If a network participant cannot act as a RADIUS supplicant and therefore cannot authenticate itself via RADIUS, it can be authenticated via its MAC address instead. Because the XS series features mostly SFP ports, the devices connected to an XS series switch will in most cases be other network devices, although end devices on the Ethernet ports can also be authenticated.

This article describes how MAC address authentication for a network device can be configured on an XS series switch, so that network access is only granted for the authenticated device.


Requirements:


Scenario:

A switch without RADIUS supplicant support is connected to an XS series switch. The aim is to ensure that only this switch can be connected directly to the XS series switch, and that no other network device can be connected in its place and communicate via this port. The switch is therefore authenticated via its MAC address, so no additional configuration steps are necessary on the switch without RADIUS supplicant support.



Procedure:

1) Configuring the RADIUS server on the LANCOM router:

1.1) In LANconfig, open the configuration for the router, navigate to the menu RADIUS → Server and set a checkmark next to RADIUS authentication active.

1.2) Navigate to the menu RADIUS services ports.

1.3) Check that the authentication port is set to 1812.

1.4) Go to the menu IPv4 clients.

1.5) Create a new entry and enter the following parameters:

  • IP address: Enter the XS series switch IP address so that it can authenticate itself as the RADIUS authenticator at the RADIUS server.
  • Netmask: Enter the netmask 255.255.255.255. This stands for a single IP address.
  • Protocols: Check that the protocol is set to RADIUS.
  • Client secret: Enter a password that the XS series switch uses to authenticate itself at the RADIUS server. This is entered on the switch in step 2.8.

1.6) Go to the menu User table.

1.7) Create a new entry and adjust the following parameters:

  • Name / MAC address: Enter the MAC address of the network device, which is to be authenticated by its MAC address, in capital letters in the format 00:A0:57:12:34:56.
  • Password: Enter the MAC address of the network device in the same way as for the parameter Name / MAC address.
  • Service type: From the drop-down menu, select Call check.
  • Expiry type: From the drop-down menu, select Never so that the user account remains permanently valid.

The Service type Call check is supported as of LCOS 10.30.

1.8) This concludes the configuration of the RADIUS server on the LANCOM router. You can now write the configuration back to the device.



2) Configuring the RADIUS Authenticator on the switch:

2.1) Connect to the web interface of the device and go to the menu System → AAA → Authentication List.

2.2) Select the entry dot1xList and click Edit.

2.3) Under the Available Methods select the option Radius and click on the upper arrow symbol, so that it is applied to the Selected Methods. Click Submit afterwards.

Selecting the option RADIUS is mandatory, as otherwise the switch won't forward the RADIUS requests to the RADIUS server.

2.4) Change to the menu Security → Port Access Control → Configuration.

2.5) For Admin Mode select the option Enable and click Submit.

2.6) Go to the menu Security → RADIUS → Named Server.

2.7) Click Add to enter parameters for a RADIUS server.

2.8) Modify the following parameters and click Submit:

  • IP Address/Host Name: Enter an IP address or the hostname of the RADIUS server which is to be used for the authentication.
  • Server Name: Optionally you can edit the group name for the RADIUS server (in this example the name remains at the default setting Default-RADIUS-Server).
  • Port Number: Leave the RADIUS port on the default value 1812.
  • Secret: Enter the Client secret set in step 1.5.
  • Server Type: Select the option Primary.

The status of the Named Server under Current only changes to True when the switch receives a RADIUS request.

2.9) Go to the menu Security → Authentication Manager → Interface Configuration.

Under no circumstances should the Admin Mode be activated (Enable) at this point in the menu Security → Authentication Manager → Configuration, as this activates the authentication globally for all ports. Otherwise configuration access to the switch won't be possible anymore!

2.10) Select the interface used for configuration access (in this example the port 1/0/9), for Control Mode select the option Force Authorized and click Submit. With this setting no authentication is performed on this port.

Set the option Force Authorized on all ports where no authentication is to be used.

2.11) Select a port to be authenticated (in this example 1/0/10), modify the following parameters and click Submit:

  • Make sure that the option Auto is selected for the Control Mode. With this setting no communication is possible via this port until the connected network participant has authenticated itself.
  • For the Host Mode select the authentication method Multiple Host. With this setting only one network participant has to authenticate itself. After that, all other participants can also communicate via this port.
  • Activate the MAB Mode (MAC-based Authentication Bypass). Instead of username and password, the MAC address is used for authentication.

2.12) Go to the tab Configuration, select the option Enable for the Admin Mode and click Submit.

2.13) Click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

As an alternative you can also save the configuration as start configuration via the CLI with the command write memory.

2.14) Acknowledge the save process by clicking OK.
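
The following added example (not LANCOM code and not part of the original article) shows how the user table entry from step 1.7 and the client secret from steps 1.5 and 2.8 meet in a RADIUS Access-Request as defined in RFC 2865. It assumes the authenticator sends the MAC address as both User-Name and PAP-style User-Password together with Service-Type Call Check, which is inferred from the user table entry and not captured from a switch; all function names are hypothetical.

```python
import hashlib
import os
import struct

def normalize_mac(mac):
    """Return the MAC in the user-table format, e.g. 00:A0:57:12:34:56."""
    digits = mac.strip().translate({ord(c): None for c in ".:-"}).upper()
    if len(digits) != 12 or set(digits) - set("0123456789ABCDEF"):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with chained MD5."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_mab_request(mac, secret, identifier=1, authenticator=None):
    """Assumed request shape: MAC as User-Name and User-Password, Call Check."""
    user = normalize_mac(mac).encode()
    ra = authenticator or os.urandom(16)  # Request Authenticator
    tlvs = ((1, user),                              # User-Name
            (2, hide_password(user, secret, ra)),   # User-Password
            (6, struct.pack("!I", 10)))             # Service-Type 10 = Call Check
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in tlvs)
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs

def parse_attributes(packet):
    """Split the attributes after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

If the secret on the switch differs from the client secret on the router, `reveal_password` returns bytes that do not match the Password field of the user table entry, so the request is rejected even though the MAC address is correct.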